Oops, responded to wrong message... sorry Tony :)
> > I use PortSentry which works great, and helps to keep out
> > the little buggers. Problem is that sometimes that bugger
> > is me coming in from a new machine to test with. Once I do,
> > that machine is now banned via
> > /sbin/route add -host 1.2.3.4 reject
> >
> > How do I un-do the route command to allow access again?
>
> I had the same problem, and I did figure it out in the end (damned if I can
> remember now though!), but I later realised that using route to block
> attackers is not the best option that you have with PortSentry. You'd be
> better off to configure PortSentry to use ipchains rather than route as that
> will drop all packets from the attacker as they ARRIVE rather than blocking
> the response.
>
> In /etc/portsentry/portsentry.conf (well that's where mine is anyway) change
> the KILL_ROUTE setting to look like this:
>
> KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
>
> It's much more secure than using reject routes, and much easier to remove in
> case of an error :-)
> Tony

Thanks, that's a better solution. So given this, is it correct to say that I
no longer need to have
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
since it should never get that far when blocked by ipchains?
That ipchains rule is also nice to stop the cable @home service from
"checking" my system. I don't need them to see port 80 (http - web),
although I have caught them scanning port 119 (nntp - news server) :)
Thanks... Dan.
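
Added example (not part of the thread and not PortSentry's own code): a small shell helper that prints the command reversing a block for either KILL_ROUTE style discussed above, the reject route or the ipchains rule. The function names are hypothetical, and the route template is assumed to be the page's route command with $TARGET$ in place of the address.

```shell
#!/bin/sh
# Added example: print the command that reverses a PortSentry KILL_ROUTE block.
# Nothing is executed; review the output, then run it as root.

# Accept only a dotted-quad IPv4 address, so no other text can reach a
# command line that will be run as root.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# $1 = KILL_ROUTE template from portsentry.conf, $2 = address to unblock
undo_cmd() {
    valid_ipv4 "$2" || { echo "refusing: not an IPv4 address: $2" >&2; return 2; }
    case "$1" in
        *"route add "*)   # reject route: delete the same route
            inverse=$(printf '%s\n' "$1" | sed 's/route add /route del /') ;;
        *"ipchains -I "*) # inserted rule: delete the matching rule
            inverse=$(printf '%s\n' "$1" | sed 's/ipchains -I /ipchains -D /') ;;
        *)
            echo "unrecognised KILL_ROUTE template" >&2; return 3 ;;
    esac
    # Replace the literal $TARGET$ placeholder with the validated address.
    printf '%s\n' "$inverse" | sed 's/\$TARGET\$/'"$2"'/'
}

# Templates: the first is the page's route command with $TARGET$ in place of
# 1.2.3.4 (assumed form); the second is the KILL_ROUTE line quoted above.
undo_cmd '/sbin/route add -host $TARGET$ reject' 1.2.3.4
undo_cmd '/sbin/ipchains -I input -s $TARGET$ -j DENY -l' 1.2.3.4
```

ipchains -D removes only the first matching rule, so repeat it if the same address was inserted more than once. Any TCP wrappers entry written by KILL_HOSTS_DENY has to be removed separately.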